HIPAA-Compliant Billing for Private Practices

The Do’s and Don’ts of HIPAA-Compliant Billing

When you hear HIPAA, you might think about medical reports, treatment plans, or progress notes. But did you know that HIPAA-privacy regulations also cover how you get paid for therapy? It’s true! Whether you’re billing for self-pay or insurance sessions, your billing process must be HIPAA-compliant.

This is especially important when you’re offering telehealth or teletherapy services since you’re not accepting payment at the point of service as you would with in-person appointments.

How to Ensure Compliance Every Step of the Way

The basics of billing actually are simple: provide a service, generate an invoice, superbill, or claim, share with the payer (client or insurance company), and then get paid for your work. Here’s each step you need to consider to make sure you’re complying with HIPAA regulations.

1. Generate an invoice, superbill, or claim.

You can’t use just any invoicing software for this. It’s important to do the investigative work to determine if your invoicing software is HIPAA-compliant. For example—QuickBooks®, Wave, PayPal, and Zelle® do not meet HIPAA requirements.

Certain vendors, like Venmo, even have explicit language in their Terms of Use that forbids the use of their software for healthcare-related transactions. This means many different types of practices—like speech therapy—can’t safely use this payment solution.

While using payment processors does not fall under the HIPAA regulation, invoicing and billing need to comply with HIPAA requirements. By using SimplePractice, customers are already protected because they have a signed Business Associate Agreement (BAA) with SimplePractice from the second they sign up for a trial or paid account. A BAA is required for invoice processing—not payment processing—so there’s no need to sign any additional BAA.

Why does your invoicing software need to be HIPAA-compliant? It’s because invoices contain all sorts of Protected Health Information (PHI). As soon as you put the client’s full name, the service performed, or a CPT or ICD-10 code on your billing document, that document contains PHI—and that falls under HIPAA regulations.

To create a HIPAA-compliant invoice without an EHR solution, you can generate it in a Word or Excel document as long as you password-protect the file. If you use an EHR, most platforms will automatically create claims, invoices, and superbills for you based on appointments or services rendered.

2. Share a billing document.

If you use a software solution like SimplePractice, you can securely generate and send any billing documents to clients or insurance companies straight from the platform.

If you’re not currently using an EHR, you must use a HIPAA-compliant email to securely send invoices. Check out Google’s G Suite or Microsoft Office 365 for a HIPAA-friendly solution. If you’re sending invoices or claim information to a billing company, your only option may be to fax it.

3. Get paid.

Now that you’ve created an invoice and figured out how to securely send it to the client, you need to get paid. In the same way you shouldn’t generate an invoice through a non-HIPAA-compliant service—like QuickBooks® or PayPal—you can’t accept payment through them either.

Again, their Terms of Use typically don’t cover healthcare services. This means you’d be in violation of both the processor’s terms and HIPAA regulations if you send client invoices through those services.

That leaves you with cash and check as your only options. However, one workaround is to create the invoice or superbill, send it to the client via a secure email, then have them pay using an on-the-spot payment capture solution like Square or Stripe.

But really, the easiest way to get paid is to use an EHR. You can generate claims, send them to clients, and get paid easily—all from one platform. Plus, if you sign up for the insurance company’s Electronic Remittance Advice forms (ERAs) and Electronic Funds Transfer (EFT), you can receive an electronic Explanation of Benefits (EOB). That way the insurance company can directly deposit payments into your business checking account.

If a client is paying privately, they can use the credit card processor in your EHR to securely pay that bill right from their Client Portal. The money will be deposited into your business bank account as soon as it becomes available.

Why Billing Should Be Done on an EHR

Whether you work with insurance or private-pay clients, the right EHR solution can streamline all of your billing needs and ensure your entire process is HIPAA-compliant. No matter what solution you choose to implement as your payment system, make sure it’s helping you run a compliant and successful practice.